Academic Account Security – A Checklist for Developers, Students, and Teachers

The education sector faces cyberattacks no less than other areas. Over the past 2 years from ransomware attacks 60% of educational institutions in the USA were affected. Microsoft also established that 8 out of 10 registered cyberattacks took place in educational institutions.

The post-pandemic shift to remote and hybrid learning has become the norm, and this has inevitably attracted the attention of attackers. At the same time, thousands of personal devices (smartphones, tablets) are often connected to the university network and immediately to the global network.

This inevitably leads to vulnerabilities in the university’s IT infrastructure. What can intruders do by getting into it:

• get access to the financial part for the purpose of withdrawing funds from accounts;
• disrupt the availability of the platform to receive a reward for its restoration;
• gain access to educational materials in order to resell them on the black market at a lower price;
• get confidential information: thousands of documents, passports, student cards, telephone numbers, addresses and other data can fall into the wrong hands and be used for resale, issuing forged documents or taking out loans;
• gain access to personal data of students’ accounts in an unsecured network, and they can be related to mail, social networks and facilitate access to other data, for example, payment information;
• infect devices with viruses for the purpose of extortion.

Steps to improve security

Knowledge in the field of cybersecurity is becoming increasingly important, especially in the academic field, where databases with sensitive information are stored. Therefore, as cyber security experts, we recommend developing a list of rules that will help increase protection.

Basic recommendations for developers of web applications for academies

• Regularly conduct a security audit of your platform (can be engaged for this reliable verified agency) to identify vulnerabilities and exploit them in a timely manner;
• use secure cloud services in order to be able to protect against DDos attacks and reduce the cost of data storage in the presence of constantly growing traffic;
• install software (such as Gluu) to identify users and control user access to the system based on their role (administrator or user);
• store all versions of the software product on alternative media (in the same cloud) to be able to quickly restore data even if hackers try to destroy it;
• train and retrain employees to keep abreast of the latest trends in information security;
• use advanced technologies to protect your users’ accounts — in particular two-factor authentication: secure accounts with OTP passwords, electronic digital signature, fingerprint or security keys, that prevent phishing attacks;
• develop a security policy in your educational institution for each role and introduce it to everyone involved: administrators, teachers, students.

Basic recommendations for students and teachers

• Always use the most complex passwords possible and change them more often to prevent attackers from picking passwords;
• connect two-factor authentication to your account, if your platform offers this option;
• try not to use public Wi-Fi networks, at least connect via VPN if you need to make payments, and remember to log out of accounts after visiting them;
• store passwords in a safe place toprevent them from being stolen;
• create separate mailboxes for personal mail and for use in your educational institution, so that an attacker cannot get more important personal information if access to work email is lost;
• carefully check the addresses of links in the newsletters sent to you and do not enter passwords or bank card details on suspicious sites;
• read instructions, undergo training and follow safety recommendations, if such are offered by the administration;
• use security keys to reliably protect against phishing and/or not worry about where to store passwords.

Benefits of security keys:

• opening accounts with keys is easy and convenient, it is similar to how you open an apartment or a personal car;
• no one will be able to open the account without the physical key, so even if the password is picked up, stolen or compromised by you on a phishing site, the fraudster will still not be able to access your account;
• hardware keys can have different form factors (if you use YubiKey keys – an American manufacturer), so they can be easily converted for any devices;
• YubiKeys do not require drivers to be downloaded and “work right out of the box”.

You can read more about security keys in our review.

Which security keys are better to use

As security experts with 30 years of experience and as an official distributor of the American company Yubico, we recommend from the list two main product lines for all educational institutions:

• YubiKey FIPS — keys for administrators or managers who manage the accounts of other participants and have access to critical information;

YubiKey FIPS

• YubiKey Security Key — найдешевша серія, яка має мінімальний набір функцій, доступна як для викладачів, так і для студентів, які ще не мають доходу.

YubiKey Security Key

For IT academies that require the use of more expensive and complex equipment, we recommend the keys of the YubiKey 5 and YubiKey Bio series. The former have more features and a choice of form factors for whatever devices you use. Others have additional protection with a fingerprint sensor.

Yubikey 5

YubiKey Bio